Loading...
image
In this brief primer we'll take a look at the main ways websites a hacked and see what things we can do to prevent attacks, stop them from being successful and limit damage when all else fails.

Ongoing Projects

Microcyte Content Management System
Microcyte is a PHP/javascript based website Content Management System. Its main feature is direct inline in-place editing of content.
image
Snatch (Mac OS X)
Snatch is a website scraping tool which can be used to retrieve links, images and email addresses from a given webpage and linked pages.
image
Distribution (Mac OS X)
Distributions is a mailing list management tool for Mac OS X. It features support for Multiple Classifications and some CRM functions.
image
??? (Mac OS X)
This is a new project I am working on for OS X (leopard). more soon!
image

Opinions & Views

image Previous | Next image

Cloud Hosting
You may already have heard of Cloud Computing, Cloud Hosting is an exciting extension of this relatively new area.
Back Online!
I'm now back online after an outage in America caused my Hosting Provider some downtime.
Batch WMA conversion for iTunes
Recently I had to convert a shed load on WMA's to work with iTunes on a Mac, heres how I did it at no cost.
MicroCyte - The Database Question
As I work towards the 2.0 release of MicroCyte I wonder whether I should scrap XML/static files in favor of a database?
Review - iMac 24 inch
I've recently had the opportunity make extensive use of a 24" iMac 2.8Ghz, here's what I thought!
Gig Review - Nizlopi
Recently I went to see Nizlopi perform at the Norwich arts centre, here's what I thought
MicroCyte Released
MicroCyte has been released! head on over to microcyte.co.uk to checkout the demo and download your copy!
Microcyte Gets Firefox Support
Very soon Firefox 3 will be released. This update will mean support for Microcyte CMS.
Site Update - Big things coming
Regulars may have noticed that the site has been quiet for the last few days, click through to find out why!
Microcyte gets comments engine
In the last couple of days I've implemented a comments plugin for my Microcyte CMS
Implementing a Dynamic SQL module
In Part 3 of building a DAL in Classic ASP I look at how I implemented my Dynamic SQL module to fulfull my DAL requirements
Dynamic SQL as a Data Access Layer
In part 2 of building a DAL in Classic ASP I look at how to create a functional Dynamic SQL module.
Data Access Layers in Classic ASP
Classic ASP is not known for its rich data access tools, so I look at how you can build a strong Data Access Layer.
Scripting languages vs frameworks
Are there compelling reasons for an old school scripting house to move to a new fangled framework?
HTML 5 working draft announced
After 9 months of work, the W3C has published the first working draft of HTML 5.
Increasing turnover with e-shots
E-shots can help drive targeted traffic to your website, but how do you avoid making them look like SPAM?
Introduction to A/B testing
A/B testing can be used to dramically increase conversions on your e-commerce site. Here is basic overview.
Security - Social Engineering
In the final part of 'how websites get hacked' I'm going to look at Social Engineering, the non technical hack.
Security - XSS and SQL injection
In part 2 of 'how sites get hacked' we look at XSS and SQL Injection
Security - how sites get hacked
In this brief primer we look at how websites get hacked and what to do to protect yourself (part 1)
MacBook Air - the morning after
After the hype has cooled down, what are the pro's and con's of the new Apple MacBook Air
Macbook air 300 pounds more expensive
Opinion: why is the Macbook Air a full 300 pounds (600 dollars) more expensive than in the US?

How websites get hacked - Part 1

A few years ago it was considered cool and '1££7' for hackers to 'deface' websites, it was kind of badge of honor. These days websites still get hacked but for very different reasons. Today the key motivator is money and the driver is organised crime.
 
Hackers can gain access to your site either to steal the personal information stored on it, infect your users with spyware and adware which will track their every online move, or to redirect your users to other sites which contain all sorts of nasties. At the moment, if a user of your website is infected because your site has been hacked, there is no real action that can be taken against you. As this sort of thing gets more common you can expect the legislation to change and include a 'duty of care' to make high profile websites keep themselves clean.
 
Threats
So with that in mind, what are the potential threats and what can you do to protect yourself against them? The threats break down into five main areas:
  1. Attacks on the underlying server and its software
  2. Attacks on the website application container (runtime level - ASP, PHP, etc)
  3. Attacks on the website database (MySQL, MS SQL Server, Oracle, etc)
  4. Attacks on weaknesses in the website code itself
  5. Social engineering attacks
Techies may look at points 1 and 2 and think that they are largely the same issue but I think there is a subtle distinction between an attack on the server software (like say Linux/Apache) and an attack which exploits a problem with PHP or ASP for example.
 
Server level security
As a web developer, there is very little you can do about points 1 and 2 except pick the most suitable server technology and development technology for the level of security you want to attain. Banks for example tend to use Java (JSP/Servlets) on something like Sun's Solaris operating system because used correctly its a very, very secure software stack and they can afford to add loads of hardware to boost performance. Of course many web developers are not used to writing web apps in Java and performance wise its not great so if you don't need bank-vault levels of security, there are other more suitable options
 
The more popular of these options at present tend to be PHP, Microsoft's ASP (both classic and the newer .Net framework) and Ruby on Rails which is increasingly gaining traction. They all take security seriously at an application level although they don't prevent the programmer from making stupid mistakes.
 
Increasingly, the key at this level is to make sure you're running the latest production version of the software, this will be the most patched version and will have the least security holes. Running older versions may leave your server vulnerable to automated scanning bots which are designed to exploit specific security holes automatically.
 
In general, the trick here to to make sure you've got a really good sysadmin who is suitably paranoid and knows what they are doing. This is an area of expertise in itself and sysadmins are paid good money to be on the ball. Its really too much to expect a web developer to be a good developer and a knowledgeable sysadmin, there is just too much to know.
 
Securing the Database
A website of any great complexity will usually have a database behind it to help store and organise content. Sometimes this database will contain some personal information of the regular users of the site, think "My Account" functionality in a e-commerce store, or even something as simple as a newsletter sign up form. Hackers (technically called Crackers or black hats in the industry) will try to gain access to the database either directly or through the website code.
 
Many hosting companies prevent direct access to the database by putting it behind a firewall or stopping it from accepting an connections from anywhere other than the machine its actually running on (local connections only). This is good from a security standpoint but a pain in the behind for developers who often don't have direct physical access to the server.
 
A good middle road is to provide an encrypted connection to the server via something like a Virtual Private Network (VPN) and allow the database to accept connections through that. A lot of custom setup is involved in something like this though and it could get quite expensive if you don't have your own dedicated server and a good working relationship with the administrator of the network it sits on!
 
If you absolutely need access to the database server from a remote location and a VPN is no good then you have to allow the database server to accept remote connections. Here you can use a firewall to limit the IP or MAC addresses of the remote connections. You will also need to limit the power of the user accounts that can access the database. If you don't need the ability to drop tables or delete rows, then disable it. Keep the root password safe and never, ever, use it. Always create user accounts of limited power for specific tasks, that way if anyone ever cracks one of the user accounts they wont have all the keys to the kingdom.
 
Keeping your data encrypted within the database tables is also a good call here. That way if the cracker ever gains direct access to those tables, they still have the task to decrypting the data before they've got anything useful. You could even go as far as using different encryption keys for different tables or using multiple encryption passes on the same data using different routines although thats a little extreme.
 
Part 1 Conclusion
As a web developer the platform choices you make can have a direct effect on how secure your site is, but in practice the choices and differences between platforms are relatively few unless you need extreme security. Securing the underlying database is at least as important as making sure your website code is secure. Forward planning and common sense here can make a hackers life much more difficult.
 
In the next part I'll talk about how the website code itself can be attacked and techniques that can be used to prevent a successful attack and limit damage.